Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-backed threat group Hafnium from China and appear to have been adopted by other cyber attackers in widespread attacks.
At least 30,000 organizations in the US are already thought to have been attacked, and the number may be much larger globally; in each case the intrusion gave the attackers remote control over the victims’ systems.
However, Bloomberg reported that at least 60,000 organizations around the globe may have been compromised in the Microsoft Exchange hack, including the European Banking Authority (EBA), a key EU financial regulator. Some small government agencies may be affected, but the victims here are a far more diverse pool of organizations, from large banks to small businesses.
As for Ukraine, our most recent check of Shodan shows that around 49% of the exposed MS Exchange servers there are still vulnerable to these exploits.
Applying the available patches should be a top priority; if you cannot patch immediately, disconnect any vulnerable servers you may be running.
At this time, anyone with an Exchange server needs to take investigative steps to check for signs of compromise. We fully echo the recommendations from Microsoft and others.
WHAT HAPPENED IN SHORT?
The attacks have been traced back to January 6, 2021, when a new threat group subsequently labeled “Hafnium” by Microsoft began exploiting four zero-day bugs in Microsoft Exchange Server. The group is using virtual private servers (VPS) located in the US to try to hide its true location. Microsoft issued emergency out-of-band patches last week, saying at the time:
“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”
Nevertheless, only 10 percent of those vulnerable had installed the patches by Friday, though the number was rising.
Tom Burt, Microsoft’s corporate vice-president of customer service and trust, explained how hackers are exploiting these zero-day vulnerabilities.
This happens in three stages. First, the attacker gains access to the Exchange Server by appearing to be someone with authorized access, using CVE-2021-26855. Next, a web shell is created in order to gain remote control of the server. Finally, that remote access is used to steal data from the network.
ARE YOU AFFECTED?
The critical vulnerabilities affect on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.
- CVE-2021-26855: CVSS 9.1: a Server-Side Request Forgery (SSRF) vulnerability that lets an unauthenticated attacker send crafted HTTP requests to the server. The server must accept untrusted connections over port 443 for the bug to be triggered.
- CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service that allows arbitrary code to run as SYSTEM. Exploiting it requires either another vulnerability or stolen credentials.
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability that lets an attacker write a file to any path on the server.
- CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability that lets an attacker write a file to any path on the server.
If used in an attack chain, all of these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.
In summary, Microsoft says that attackers secure access to an Exchange Server either through these bugs or stolen credentials and they can then create a web shell to hijack the system and execute commands remotely.
HOW TO STAY SAFE FROM ATTACKS ON MS EXCHANGE
If you’ve run a scan and found that your environment hasn’t yet been compromised, and you haven’t yet patched, apply the patches released by Microsoft as soon as possible.
If you run the scan using Microsoft’s tool and see evidence that an attacker may have exploited these vulnerabilities in your environment, you are now in incident response mode.
But the approach you take may depend on your in-house resources and situation. If you don’t have an in-house security team, contact your security vendor or MSP for support. If you have an in-house incident response team, they will work to identify the next steps.
First of all, patch your installation of the Microsoft Exchange Server. If your company cannot install updates, Microsoft recommends a number of workarounds.
According to Microsoft, denying untrusted access to the Exchange server on port 443, or generally limiting connections from outside the corporate network, can stop the initial phase of the attack. But that will not help if attackers are already inside the infrastructure, or if they get a user with administrator rights to run a malicious file.
An Endpoint Detection and Response class solution (if you have internal experts) or external Managed Detection and Response service specialists can detect such malicious behavior.
Always keep in mind that every computer connected to the Internet, be it server or workstation, needs a reliable endpoint security solution to prevent exploits and proactively detect malicious behavior.
In conclusion, we provide links to additional sources of information that will help to detect the vulnerability or a breach:
Detects whether the specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855): http://bit.ly/3t4R7XR
Checks for signs of exploit from CVE-2021-26855, 26858, 26857, and 27065: http://bit.ly/3bxxj9L
This script looks for web shells dropped on Microsoft Exchange servers while they were vulnerable to the following CVEs:
- CVE-2021-26855, pre-auth SSRF, CVSS:3.0 9.1 / 8.4
- CVE-2021-26857, insecure deserialization leading to privilege escalation to SYSTEM level, CVSS:3.0 7.8 / 7.2
- CVE-2021-26858, post-auth file write, CVSS:3.0 7.8 / 7.2
- CVE-2021-27065, post-auth file write, CVSS:3.0 7.8 / 7.2
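To show the kind of check the web shell scanner linked above performs, here is an added triage example (our own illustration, not the linked script and not Microsoft's code). It walks a web-served directory, looks only at file types ASP.NET would execute, and flags files that were written on or after January 6, 2021 (the date the page gives for the start of the campaign) or that contain generic web-shell traits such as evaluating request input or spawning a process. The directory to scan is passed in by the caller; the Exchange directories that matter come from Microsoft's guidance and are not stated on this page. The content patterns are assumptions chosen for the example, not indicators taken from the page.

```python
"""Flag candidate web shells under a web-served directory (added example)."""
import os
import re
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

# The page traces the attacks back to January 6, 2021; executable files
# written on or after that date deserve a look.
CAMPAIGN_START = datetime(2021, 1, 6, tzinfo=timezone.utc)

# File types that ASP.NET will execute if dropped into a web-served folder.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx"}

# Generic web-shell traits. These patterns are assumptions of this example
# (common traits of server-side script that runs attacker input), not
# indicators published on the page.
SUSPICIOUS_PATTERNS = {
    "reads request input": re.compile(rb"Request\s*[\[\.]", re.I),
    "evaluates code at runtime": re.compile(rb"\beval\s*\(", re.I),
    "spawns a process": re.compile(rb"Process\.Start|ProcessStartInfo|System\.Diagnostics", re.I),
}


def inspect_file(path: Path, since: datetime = CAMPAIGN_START) -> Optional[Dict]:
    """Return a finding for one file, or None if nothing stands out."""
    if path.suffix.lower() not in EXECUTABLE_EXTS:
        return None
    reasons: List[str] = []
    # Timestamp check first so that a post-campaign write is reasons[0].
    if path.stat().st_mtime >= since.timestamp():
        reasons.append("written on/after %s" % since.date())
    try:
        data = path.read_bytes()
    except OSError:
        return None
    for label, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(data):
            reasons.append(label)
    if not reasons:
        return None
    # A post-campaign timestamp combined with shell-like content is the
    # strongest signal; either alone is worth a manual review.
    has_new_write = reasons[0].startswith("written")
    severity = "high" if has_new_write and len(reasons) >= 2 else "review"
    return {"path": str(path), "severity": severity, "reasons": reasons}


def scan_web_root(root: Path, since: datetime = CAMPAIGN_START) -> List[Dict]:
    """Walk a web-served directory and collect findings, high severity first."""
    findings: List[Dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = inspect_file(Path(dirpath) / name, since)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["path"]))


if __name__ == "__main__":
    import sys
    # Hypothetical usage: pass the web-served directory to check as argv[1].
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for f in scan_web_root(target):
        print(f["severity"], f["path"], "; ".join(f["reasons"]))
```

A timestamp alone is a weak signal because patching also writes new files, which is why the example reports the reasons separately and only rates a file "high" when a recent write coincides with shell-like content; anything flagged should be compared against a known-good installation before it is treated as a compromise.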